Matt Suiche of Magnet Forensics talks about top security threats for organizations and strategies for effective incident response.
The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 7. Discover shadow IT and take control of cloud apps,” you’ll learn how to set up Microsoft Cloud App Security (MCAS) to identify, access, and manage the cloud applications used by your organization.
Cloud-based services have significantly increased productivity for today’s workforce, prompting users to adopt new cloud apps and services and making it a challenge for you to keep up. Microsoft Cloud App Security (MCAS), a cloud access security broker (CASB), helps you gain control over shadow IT with tools that give you visibility into the cloud apps and services used in your organization, asses them for risk, and provide sophisticated analytics. You can then make an informed decision about whether you want to sanction the apps you discover or block them from being accessed.
Your users are in the cloud—even if you aren’t
Whether or not your organization has started its move to the cloud, your workforce probably has. Users in large enterprises use an average of 1,181 cloud applications—of those services, 60 percent go undetected by IT. MCAS can help you discover those apps and services and enable you to establish a lifecycle management approach for your cloud services (Figure 1).
We’ll show you how to set up continuous reporting, which can help you maintain vigilance over the cloud-based services accessed from your network and create workflows for automatic management of unsanctioned or newly discovered apps. Then we’ll explain how you can extend your monitoring capabilities on managed Windows 10 PCs beyond the corporate network by walking through the integration with Windows Defender Advanced Threat Protection (ATP), now Microsoft Defender ATP.
We recommend three actions to enable discovery with Microsoft Cloud App Security (Figure 1):
- Deploy a log collector.
- Extend discovery beyond your network by enabling Windows Defender ATP integration.
- Create a workflow to automatically block unsanctioned apps.
Figure 1. Shadow IT discovery management lifecycle.
Deploy a log collector for continuous monitoring
Before you enable cloud discovery, you’ll need to set up your Microsoft Cloud App Security portal. A log collector provides ongoing visibility from MCAS with continuous monitoring and reporting. This capability lets you monitor cloud app usage within your network. As new cloud apps and services are introduced, or gain greater usage in your organization, MCAS provides alerts so you can take immediate action. To enable these capabilities, deploy a log collector on your network endpoints and configure automated, continuous log uploads to MCAS.
If your organization uses Zscaler or iboss as their Secure Web Gateway (SWG), you can integrate these with MCAS and eliminate the need to install log collectors on your network endpoints. These standalone SWGs integrate with MCAS to monitor your organization’s traffic and enable you to block apps inline. The SWG block capabilities are automatically applied to apps you tag as unsanctioned in the MCAS portal. Learn how to integrate Zscaler with MCAS.
Extend discovery beyond your network with Windows Defender ATP
MCAS uniquely integrates with Windows Defender ATP, giving you powerful tools to discover cloud apps accessed from managed Windows 10 machines on any network. The integration is enabled with a single click in the Windows Defender Security Center. Once enabled, Windows Defender ATP immediately starts sending log data to MCAS and adds a powerful machine-centric view of the discovery data. If you detect suspicious traffic from a machine, you can pivot easily between the services and continue an in-depth machine investigation in the Windows Security Center. We recommend that you enable log collectors and Windows Defender ATP integration to get the most complete view of the cloud applications used by your organization.
Watch the following video on how Cloud App Security integrates with Windows Defender ATP:
Create a workflow to automatically block unsanctioned apps
MCAS integrates with Microsoft Flow to provide centralized alert automation and orchestration of custom workflows. It enables the use of an ecosystem of connectors in Microsoft Flow to create playbooks that work with the systems of your choice and it enables automated alert triage. The discovery capabilities of Microsoft Cloud App Security can identify apps that do not meet the guidelines established by an organization with the intent to block future access. When MCAS generates a discovery alert for such an application, your organization can create a playbook to automatically execute the blocking of unwanted application domains on the firewall.
For example, in Figure 2, we use the HTTP connector and custom code with the firewall API:
Figure 2. Create a custom workflow to automatically block unsanctioned apps on your firewall.
Use the Cloud Discovery data
Once you set up MCAS to collect data, you can view that data in the Cloud Discovery dashboard. The Cloud Discovery dashboard provides an at-a-glance overview of the apps being used, their risk levels, and your open alerts (Figure 3). You can configure the dashboard to meet the needs of your organization, such as identifying top users or excluding noisy apps.
Figure 3. The Cloud Discovery dashboard provides an at-a-glance overview of the apps being used, their risk levels, and your open alerts.
From here, you can also drill down into discovered apps, IP addresses, users, and machines to help you understand which apps are being used in your organization and leverage the data and risk analysis to decide which apps you want to allow in your organization and which ones you may want to block (Figure 4).
Figure 4. Usage deep dive, providing in-depth overview of the usage and risk factors of an app.
Check back in a few weeks for our next blog post, “Step 8. Protect your documents and email,” where we will discuss how to discover, classify, and label information with Azure Information Protection, and how to protect mailboxes, online storage, and apps with Office 365 Advanced Threat Protection.